GDPR’s Impact on the Insider Threat Mission
Note: this post was originally published on the RedOwl.com Blog
The General Data Protection Regulation (“GDPR”) will become applicable on 25 May 2018 and will enter into force in member states of the European Union as national legislatures adopt implementing laws and regulations. The adoption of the GDPR within the EU has led to questions regarding the application of the new regulation to insider threat screening programs in Europe. (The United Kingdom provides a special case, as the adoption of the GDPR may, or may not, be affected by ongoing negotiations regarding Britain’s decision to leave the Union.)
The GDPR arises from the context of the existing Data Protection Directive. Our conclusion is that the GDPR does not significantly change existing legal requirements and that most insider threat programs can be implemented in a manner consistent with legal requirements.
This conclusion comes with caveats: First, an insider threat program is more likely to be acceptable to the extent it is grounded in legal necessity (e.g. a compliance mandate). Second, the program must be transparent to employees. And, third, significant reservations may arise if the program incorporates non-enterprise data (e.g. outside social media) into the threat model.
The Privacy Framework
Today, employee monitoring is generally subject to the Data Protection Directive, which regulates the collection and use of personal data across all sectors of the economy. In the context of employee monitoring, the Article 29 Working Party (“WP29” — a group of representatives from the Data Protection Authorities of the Member States) issued a working paper (WP55) which generally disfavors employee monitoring. The paper acknowledges, however, that monitoring is permissible when there are “specific and important” business reasons.
Article 88 of the GDPR directly addresses the question of “Processing in the Context of Employment.” It provides that Member States may, by law or collective agreement, provide for more specific rules to ensure the protection of rights and freedoms in respect of the processing of employee data. Article 88 specifically calls out the protection of an employer’s or customer’s property as grounds for processing employment-related data. And, as the WP29 noted with respect to the Data Protection Directive, some of these grounds might arise because of the need to perform a contract, from a legal obligation (like a compliance requirement), or from some other legitimate employer interest.
This overall reading was confirmed earlier this month by another opinion from the WP29 on processing employee data. To be sure, the WP29 opinion sounded a note of caution about large-scale, disproportionate data processing. And it expressed significant concern about employee privacy (as, for example, in its skepticism about the deployment of a TLS decryption appliance (p.13)). However, the working party also acknowledged, again, that legitimate interests of the employer may justify some practices. Thus, for example, the opinion makes clear that employers may monitor the LinkedIn profiles of former employees for the duration of non-compete clauses (p.12).* Likewise, the working party acknowledges that an employer may deploy a Data Loss Prevention tool, provided its use is fully justified and measures are taken to mitigate risks to the employee’s personal privacy (p.15).
As noted, the GDPR has yet to take effect. And its implementation will vary from Member State to Member State based upon unique legal principles of each nation. The WP29 opinion issued this month will provide useful guidance to Member State legislatures but does not bind them.
In our view, a carefully crafted insider threat program will likely satisfy the privacy concerns of the EU. Broadly speaking, EU privacy law rests on principles of necessity, finality, transparency, proportionality, accuracy, and security. An enterprise’s operational activity should act within these parameters:
- Compliance monitoring is necessary to achieve the mandated purpose of compliance with regulatory requirements
- The requirements are typically “specified, explicit, and legitimate”
- The program is implemented in a transparent manner with notice to the employees
- The monitoring is proportionate to the need and reduces unwarranted intrusions into employee privacy
- The program allows the customer to set its own data retention rules regarding how long collected data will be maintained, enabling compliance with jurisdiction-specific mandates
- Access control and immutable logging functions work to ensure accuracy and security
- Where available, the data-masking capability ensures that more sensitive content is disclosed only when and if there is predication for the disclosure, again enhancing proportionality.
*The opinion also requires the employer to establish the necessity of the monitoring, examine whether less invasive means are available, and inform the employee about the extent of the observation.